5G network slices could be vulnerable to attack, researchers say

5G network slices could be vulnerable to attack, researchers say

Configuration errors and device vulnerabilities could allow attackers to move laterally across 5G network slices.

Credit: Shutterstock / Alexander Yakimov

5G promises increased speed, lower latency, and support for a significantly larger number of connected devices. But the growth in devices and in new applications that will ensue also will expand the attack surface, offering new opportunities for malicious actors to take advantage of security gaps.

Plus, as with any new technology, there is a great deal of potential for misconfigurations, errors, and unpatched vulnerabilities while companies are still learning how to deploy and secure 5G at scale.

About 75% of communication service providers worldwide said that they had experienced up to six security breaches of 5G networks within the past year, according to a November 2022 survey by GlobalData and Nokia. 

Half of the respondents said that they experienced an attack that resulted in the leakage of customer data, and nearly three quarters said that an attack had caused a service outage.

But 5G networks have a great, built-in security advantages over their predecessors, one of which is network slicing—the ability to subdivide networks into multiple virtual networks on top of a single physical infrastructure. Each network can have its own configurations, performance parameters, and quality of service. 

This allows different applications to share the same physical infrastructure but also provides an additional layer of isolation and security, creating barriers to attacker movement.

“5G introduced a large number of technical innovations and improvements to 4G technology, but network slicing was one of the most important,” says Doug Gatto, practice development manager, services, at IT services provider Insight, and security benefits are a major advantage. “It can really reduce the impact of a cyber attack by isolating an attack to one slice.”

However, a misconfigured 5G network slice is vulnerable to multiple threats, including denial-of-service attacks, man-in-the-middle attacks, and basic configuration attacks, he says. And if the slices aren’t designed properly, an attacker could also move from one slice to another, he adds.

Gatto says that he’s sure these kinds of attacks are already taking place, though the threat is a relatively new one, and he hasn’t yet seen public data about specific breaches.

Plus, the idea of 5G network slicing is very new. It requires that a carrier have standalone 5G in place, instead of a 5G layer over an existing 4G LTE network. That infrastructure is now becoming widely available, and carriers are just starting to experiment with slicing.

For example, in February, Singtel announced a 5G security-as-a-slice capability that will become available “in the next few months.” Also in February, Ericsson released a report calling 5G slicing a “near-term opportunity.” 

In March, Verizon’s Bryan Schromsky, managing partner for its public-sector unit, said that Verizon plans to begin implementing network slicing at the end of this year.

But the security risks surrounding 5G network slices are serious enough that, in December, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, issued a warning and offered advice on mitigating these risks.

The security issues aren’t limited to attacks on individual slices; they can also cross between slices if the networks aren’t property secured, the agency says. “Improper network slice management may allow malicious actors to access data from different network slices or deny access to prioritised users,” the report says.

And researchers at Deloitte and Virginia Tech recently conducted a proof-of-concept test and demonstrated that lateral movement was, in fact, possible.

Say, for example, a particular device is connected to one network slice, says Abdul Rahman, associate vice president at Deloitte, “All we need to do is Google the vendor website, find out what the default username and password is, and build a script to try that username and password from different points within the network,” he says.

Then, once an initial slice has been compromised, that access can be used to pivot to other network slices, and compromise data or devices used by other customers.

According to the CISA report, the three biggest threats to 5G network slices are denial-of-service (DoS) attacks, configuration attacks, and man-in-the-middle attacks.

DoS attacks could degrade service across slices

In a DoS attack, a malicious actor floods a network or critical application or component with traffic so every device using the same slice suffers an outage.

According to a report released earlier this year by ENEA AdaptiveMobile Security, denial of service attacks against 5G networks cannot be mitigated with today’s approaches and technologies.

It’s possible for network slices to reduce the reach of DoS attacks by isolating their effect to an individual network segment but only if the infrastructure is properly configured.

But some types of attacks can spill over into other slices if proper preventative measures aren’t taken. For example, if malware compromises an IoT device connected to the 5G network, and it floods the network with messages, it could degrade signal quality for all network slices that share the same spectrum or other physical resources.

Another possibility is that a malicious mobile-edge computing application infects one slice and starts to generate fake and computationally intensive tasks. It will use up edge-computing resources, and, if the malware is able to circumvent compute-resource segmentation policies, it can affect the performance of all the other slices sharing the same edge computing.

Deloitte and Virginia Tech released a report in April summarising denial of service attack vectors for 5G networks.

“It was a contained study within a lab environment,” says Shehadi Dayekh, 5G and edge specialist leader at Deloitte. “But it is practical. And it is possible to create resource constraints on the common infrastructure that both slices are using.”

In addition, network architects might not want to duplicate every network function on each slice, so an attack on a particular network function might affect every slice that uses it, Dayekh says.

In addition, there are some shared resources that all slices have to use. Say, for example, an operator uses 5G network slices to offer private networks to several enterprise clients in the same area.

“They would end up using one cell tower to feed multiple clients,” says Dayekh. “You cannot replicate the cell tower for each and every single client. So if you’ve compromised that specific shared resource, that will end up affecting other clients, as well.”

Configuration attacks can lead to wide compromises

Those same shared resources can also provide an opportunity for malware to spread between slices, Dayekh says. For instance, a network function might use a common set of servers to provide services to different device types from different customers on different network slices.

In this case one customer’s IoT devices might need access to the same network function and its underlying infrastructure as another customer’s connected vehicles.

“These are totally different industries and different clients but are served by the same compute nodes that have the same network function,” he says. If there’s a vulnerability within the IoT device that attackers exploit, they could then push malware to other devices that are connected via the same network function.

IoT devices are notorious security risks because many of them “are old, and many may have firmware that is old and not patched,” he says.

But other network components may also be using default usernames and passwords or have unpatched vulnerabilities, he adds.

Proper configuration of both the network infrastructure and shared network services is key, he says. “Do you have ports that are open? Do you have the right segmentation and not allow users to discover more of these network functions?” he says.

According to CISA, configuration attacks can have a broad range of adverse effects. A malicious attacker may be able to steal data from other users on the same network slice, but if are weaknesses in the way shared components are accessed, attackers can also gain access to another slice.

“In a virtualised architecture it will be more difficult to detect and recognise the types of traffic crossing these networks and mitigate against any new threats,” CISA warns.

Man-in-the-middle attacks endanger data

5G network slices are also vulnerable to man-in-the-middle attacks, CISA says, where an attacker jumps into the middle of an unencrypted conversation between two network participants. There it can listen to their communication to steal data, pass along corrupted data, or shut down or slow the communication.

“Such an attack could be devastating, as misinformation and disinformation could result from the malicious actor modifying the contents of the messages,” CISA says.

How to secure network slices

According to CISA, two key aspects of network slice security are Zero Trust Architecture (ZTA) and continuous monitoring.

ZTA, together with multi-layer security, encryption, and isolation, can help defend data and systems from attacks within individual slices and across different slices.

Monitoring can detect malicious activity, but many tools focus on performance and not on malicious attacks, the agency warns.

Network operators want to have performance monitoring and quality-of-service monitoring, says Insight’s Gatto. “But you actually need control-plane monitoring, monitoring the logic of the actual network to make sure it’s protected against any malicious actors.”

Operators should also consider anomaly-detection and intrusion-prevention systems, he adds. These can identify and stop dangerous behaviors.

Network security starts with having good visibility, says Deloitte’s Dayekh. “Knowing where your infrastructure is, knowing what resources each component is using, tracking IoT devices, and tracking connected devices, whether known or unknown devices. Once you have that visibility, you can start applying policies and rules around securing that connectivity.”

However, the expansion and deployment of Kubernetes services and containerised deployment of telecommunication functions present a challenge for carriers, says Deloitte’s Dayekh.

“It’s becoming harder and harder to have that visibility and control over network traffic and over access, and it’s just adding to the complexity of visibility, detection, and response,” he says. “Especially when you have hundreds if not thousands of new devices joining the network every single day.”

Finally, carriers need to have a plan for when prevention measures fail.

It’s important to be prepared for an attack if one does occur, says Dayekh. “What is your plan of action if something falls down? You should have a method in order to control and be able to prevent any further damage in your network,” he says.

Real-world attacks have yet to surface

Deloitte runs tests on its lab environments that are connected to major cloud hyperscalers, Dayekh says. “You can tell that IoT devices have multiple vulnerabilities, open ports, and outdated software,” he says. “It’s clear, if you look at it, that major organisations don’t have, at this point, the full visibility into what’s connected, to begin with.”

Dayekh says he hasn’t seen successful attacks on vulnerable slices in the wild, but, “I am sure that these slices exist, and I’m sure the same vulnerabilities apply to those slices.”

Insight’s Gatto says he also hasn’t seen public-facing data about network slices being successfully attacked, “but it probably is happening.”

One ray of hope is that, in the short term, network slicing attacks are going to be harder to accomplish because of the way cellular technologies work, says Gatto. “5G, in general, is secure by default, unlike Wi-Fi, which is open by default, so it would be harder to compromise.”

With Wi-Fi, all you need is a password or some type of secure certificate exchange to join a network, but with 5G, you’ll need a physical SIM card or an eSim even to join a network or network slice, he says.

The attacks themselves would need to be considerably complex in order to succeed, says Chester Wisniewski, field CTO of applied research at global cybersecurity firm Sophos. “To date, almost no one outside of a nation-state has the resources to conduct an attack like this effectively,” he says.

Still, Wisniewski urges caution.

“If you are adopting 5G for mission-critical applications, you shouldn’t assume it will always be available and unhackable,” he says. “Like any device communicating over a public network, devices should always use encryption and verify both client and server identities before communicating.”

Tags 5G Networksnetwork slices

Show Comments